[Suggested description]
An issue was discovered in Luvion Grand Elite 3 Connect through 2020-02-25.
Clients can authenticate themselves to the device using a username and
password. These credentials can be obtained through an unauthenticated
web request, e.g., for a JavaScript file. Also, the disclosed information
includes the SSID and WPA2 key for the Wi-Fi network the device is
connected to.

------------------------------------------

[Additional Information]
An attacker can use the disclosed information to remotely gain access to normal camera functionality (e.g., to watch inside someone's room over the internet).

------------------------------------------

[Vulnerability Type]
Incorrect Access Control

------------------------------------------

[Vendor of Product]
Luvion

------------------------------------------

[Affected Product Code Base]
Luvion Grand Elite 3 Connect - Cannot be determined

------------------------------------------

[Affected Component]
Webserver running on the device.

------------------------------------------

[Attack Type]
Remote

------------------------------------------

[CVE Impact Other]
Authentication bypass

------------------------------------------

[Attack Vectors]
An attacker can simply browse to the device and retrieve the passwords.

------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?]
true

------------------------------------------

[Discoverer]
Willem Westerhof, Jasper Nota, Jim Blankendaal, Martijn Baalman from Qbit, on assignment for the Consumentenbond

------------------------------------------

[Reference]
N/A
Use CVE-2020-11926.